Lucene search
+L

2903 matches found

NVD
NVD
added 5 days ago6 views

CVE-2026-11963

The User Registration & Membership WordPress plugin before 5.2.2 does not perform an authorization check on a membership-upgrade action and derives the user to modify from a caller-supplied identifier instead of the current user, allowing any authenticated user such as a subscriber to change...

8.1CVSS0.00201EPSS
Exploits0References1
CVE
CVE
added 5 days ago12 views

CVE-2026-11964

Affected software: User Registration & Membership WordPress plugin (prior to 5.2.2). Vulnerability: The plugin does not verify the authenticity of incoming payment-provider webhook notifications, enabling unauthenticated attackers to forge a payment-approved event. Impact: This can activate a pai...

9.1CVSS6.1AI score0.00261EPSS
Exploits0References1
Cvelist
Cvelist
added 5 days ago31 views

CVE-2026-11964 User Registration & Membership < 5.2.2 - Unauthenticated PayPal Webhook Signature Verification Bypass Leading to Membership Activation

The User Registration & Membership WordPress plugin before 5.2.2 does not verify the authenticity of incoming payment-provider webhook notifications before acting on them, allowing unauthenticated attackers to forge a payment-approved event and activate a paid membership subscription without...

0.00261EPSS
Exploits0References1
Cvelist
Cvelist
added 5 days ago31 views

CVE-2026-11963 User Registration & Membership < 5.2.2 - Subscriber+ Cross-User Role and Membership Tier Modification via IDOR

The User Registration & Membership WordPress plugin before 5.2.2 does not perform an authorization check on a membership-upgrade action and derives the user to modify from a caller-supplied identifier instead of the current user, allowing any authenticated user such as a subscriber to change...

0.00201EPSS
Exploits0References1
CVE
CVE
added 5 days ago12 views

CVE-2026-11963

Affected product: WordPress plugin “User Registration & Membership” (before 5.2.2). Vulnerability: Missing authorization check on a membership-upgrade action; the target user is derived from a caller-supplied identifier rather than the current user, enabling any authenticated user (e.g., a subscr...

8.1CVSS6.1AI score0.00201EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 5 days ago5 views

PT-2026-57748

Name of the Vulnerable Software and Affected Versions Membership For WooCommerce versions prior to 3.1.1 Description A Path Traversal issue exists in the Membership For WooCommerce plugin. This flaw allows an attacker to access files and directories outside of the intended restricted directory by...

8.6CVSS6.1AI score0.00382EPSS
Exploits0References3
CVE
CVE
added 2026/07/10 1:57 p.m.7 views

CVE-2026-56279

Capgo before 12.128.2 is affected by an information disclosure vulnerability in the get_orgs_v7(userid) RPC function that remains publicly invokable despite intended private access controls. Unauthenticated attackers can supply arbitrary user UUIDs to retrieve foreign users’ organization membersh...

8.7CVSS6.2AI score0.00313EPSS
Exploits0References2
EUVD
EUVD
added 2026/07/10 1:57 p.m.10 views

EUVD-2026-42881

Capgo before 12.128.2 contains an information disclosure vulnerability in the getorgsv7userid RPC function that remains publicly invokable despite intended private access controls. Unauthenticated attackers can supply arbitrary user UUIDs to retrieve foreign users' organization membership, roles,...

8.7CVSS6.2AI score0.00313EPSS
Exploits0References2
OSV
OSV
added 2026/07/10 1:57 p.m.3 views

CVE-2026-56279 Capgo - Information Disclosure via get_orgs_v7 RPC Endpoint

Capgo before 12.128.2 contains an information disclosure vulnerability in the getorgsv7userid RPC function that remains publicly invokable despite intended private access controls. Unauthenticated attackers can supply arbitrary user UUIDs to retrieve foreign users' organization membership, roles,...

8.7CVSS6.2AI score0.00313EPSS
Exploits0References4
Patchstack
Patchstack
added 2026/07/09 2:18 p.m.6 views

WordPress Membership For WooCommerce plugin <= 3.1.0 - Arbitrary File Deletion vulnerability

Arbitrary File Deletion vulnerability discovered by sebbealb in WordPress Plugin Membership For WooCommerce versions = 3.1.0...

8.6CVSS6.1AI score0.00382EPSS
Exploits0Affected Software1
Positive Technologies
Positive Technologies
added 2026/07/09 12:0 a.m.9 views

PT-2026-56993

Name of the Vulnerable Software and Affected Versions Discourse versions prior to 2026.6.0 Discourse versions prior to 2026.5.1 Discourse versions prior to 2026.4.2 Discourse versions prior to 2026.1.5 Description The signup flow allows newly registered users to set the primary group id variable...

8.2CVSS6.1AI score0.00267EPSS
Exploits0References18
Cvelist
Cvelist
added 2026/07/08 1:48 p.m.30 views

CVE-2026-56226 Capgo - Unauthenticated Organization Data Disclosure via get_orgs_v6 RPC

Capgo Cap-go/capgo before 12.128.2 exposes the Supabase PostgREST RPC function public.getorgsv6userid uuid, which is SECURITY DEFINER and granted to the anon role, allowing unauthenticated access. Because the function accepts a caller-supplied user UUID without verifying it matches the...

8.7CVSS0.00255EPSS
Exploits0References2
NVD
NVD
added 2026/07/08 12:17 p.m.11 views

CVE-2026-3688

The WCFM Membership – WooCommerce Memberships for Multivendor Marketplace plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.11.10. This is due to the 'wcfmvmmembershipchange' AJAX action not validating user permission to modify other...

8.1CVSS0.00223EPSS
Exploits0References2
EUVD
EUVD
added 2026/07/08 11:35 a.m.6 views

EUVD-2026-42220

The WCFM Membership – WooCommerce Memberships for Multivendor Marketplace plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.11.10. This is due to the 'wcfmvmmembershipchange' AJAX action not validating user permission to modify other...

8.1CVSS5.9AI score0.00223EPSS
Exploits0References2
CVE
CVE
added 2026/07/08 11:35 a.m.12 views

CVE-2026-3688

The CVE concerns the WCFM Membership – WooCommerce Memberships for Multivendor Marketplace plugin for WordPress. Affected: all versions up to 2.11.10. Root cause: the wcfmvm_membership_change AJAX action does not validate a user’s permission to modify other users, enabling an authenticated vendor...

8.1CVSS5.9AI score0.00223EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/07/08 11:35 a.m.35 views

CVE-2026-3688 WCFM - WooCommerce Multivendor Membership <= 2.11.10 - Insecure Direct Object Reference to Limited Privilege Escalation via User Role Overwrite

The WCFM Membership – WooCommerce Memberships for Multivendor Marketplace plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.11.10. This is due to the 'wcfmvmmembershipchange' AJAX action not validating user permission to modify other...

8.1CVSS0.00223EPSS
Exploits0References2
CVE
CVE
added 2026/07/07 10:18 p.m.12 views

CVE-2026-59704

Cap’s GET /api/video/ai endpoint lacks proper ownership/membership validation, exposing private video AI metadata (titles, summaries, chapters) and enabling authenticated attackers to solicit arbitrary video IDs to read sensitive content. This may also trigger unauthorized AI generation that depl...

7.1CVSS6AI score0.00216EPSS
Exploits0References5
Nuclei
Nuclei
added 2026/07/07 4:50 p.m.116 views

WordPress Ultimate Member 2.1.3 - 2.8.2 – SQL Injection

The Ultimate Member - User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to SQL Injection via the ‘sorting’ parameter in versions 2.1.3 to 2.8.2 due to insufficient escaping on the user supplied parameter and lack of...

9.8CVSS7.4AI score0.89431EPSS
Exploits8References5
OSV
OSV
added 2026/07/07 3:26 p.m.7 views

GO-2026-5869 Rancher has over-inclusive team membership expansion in GitHub App authentication provider in github.com/rancher/rancher

Rancher has over-inclusive team membership expansion in GitHub App authentication provider in github.com/rancher/rancher. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive...

8.8CVSS5.9AI score0.0037EPSS
Exploits0References6
CVE
CVE
added 2026/07/06 6:0 a.m.12 views

CVE-2026-11855

CVE-2026-11855 affects the Simple Membership WordPress plugin prior to 4.7.5. The issue arises because Stripe webhook requests are not authenticated when no signing secret is configured, and a value taken from those requests is not escaped before being output in an administrator notice. This lead...

8.8CVSS6.1AI score0.00301EPSS
Exploits0References1
Rows per page
Query Builder